[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-byGUM55pbygS_5L1tdvoCKyq8qh7RawHzT_FG0Tb58":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2025-14342","seo-plugin-by-squirrly-seo-missing-authorization-to-authenticated-subscriber-cloud-service-disconnection","SEO Plugin by Squirrly SEO \u003C= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection","The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and including, 12.4.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from Squirrly's cloud service.","squirrly-seo",null,"\u003C=12.4.14","12.4.15","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 16:09:56","2026-02-19 04:36:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7ad25948-3265-4c4c-9b99-86f7240600ce?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-14342 (Squirrly SEO)\n\n## 1. Vulnerability Summary\nThe **SEO Plugin by Squirrly SEO** (versions \u003C= 12.4.14) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function `sq_ajax_uninstall` (inferred action: `sq_uninstall`) fails to implement a capability check (e.g., `current_user_can('manage_options')`). This allows any authenticated user, including those with **Subscriber** roles, to trigger the plugin's disconnection from the Squirrly cloud service, potentially disrupting SEO features and deleting local configuration data associated with the cloud connection.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `sq_uninstall` (inferred from function name `sq_ajax_uninstall`)\n- **Method:** `POST`\n- **Authentication:** Required (Subscriber-level or higher)\n- **Parameters:**\n    - `action`: `sq_uninstall`\n    - `nonce`: A WordPress nonce for the specific action (if enforced).\n- **Preconditions:** The plugin must be installed and active. The vulnerability is most impactful if the site is currently connected to the Squirrly Cloud (token stored in options).\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers an AJAX action for authenticated users.\n   - Code: `add_action('wp_ajax_sq_uninstall', array($controller, 'sq_ajax_uninstall'));`\n2. **Vulnerable Handler:** The method `sq_ajax_uninstall` is executed.\n3. **Missing Check:** Inside `sq_ajax_uninstall`, the code likely proceeds to call a disconnection or cleanup method (e.g., `SQ_Classes_RemoteController::uninstall()`) without checking if the current user has administrative privileges.\n4. **Sink:** The plugin updates or deletes options like `sq_cloud_token`, `sq_api_token`, or site-specific metadata, effectively severing the link to the Squirrly cloud services.\n\n## 4. Nonce Acquisition Strategy\nEven though authorization is missing, WordPress AJAX handlers typically check for a CSRF nonce. \n\n1. **Identify Localization:** Squirrly SEO often localizes its configuration via `wp_localize_script`. We need to find the script handle and the variable name.\n2. **Search for Nonce Action:** Look for `wp_create_nonce('sq_uninstall')` or `wp_create_nonce('sq_ajax_uninstall')` in the plugin source.\n3. **Extraction Steps:**\n   - Create a Subscriber user.\n   - Log in as the Subscriber.\n   - Access the WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`).\n   - Squirrly likely enqueues its admin scripts for all users if it doesn't restrict the `admin_enqueue_scripts` hook.\n   - Use `browser_eval` to check for common Squirrly JS objects:\n     - `browser_eval(\"window.sq_config?.nonce\")`\n     - `browser_eval(\"window.SQ_Design?.nonce\")`\n     - `browser_eval(\"window.sq_uninstall_nonce\")` (inferred)\n4. **Bypass Check:** If the code uses `check_ajax_referer('sq_uninstall', 'nonce', false)` and fails to check the return value, the nonce can be omitted or be invalid.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nLogin as a Subscriber user to obtain a session cookie.\n\n### Step 2: Nonce Retrieval\nNavigate to the dashboard and extract the nonce using the `browser_eval` tool.\n\n### Step 3: Trigger Disconnection\nSend an authenticated POST request to the AJAX endpoint.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: target.local\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\naction=sq_uninstall&nonce=[EXTRACTED_NONCE]\n```\n\n### Step 4: Verification\nConfirm that the cloud connection is severed by checking plugin options.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Install Squirrly SEO version 12.4.14.\n2. **Simulate Connection:** Set a dummy cloud token in the database to verify it gets cleared.\n   - `wp option update sq_api_token \"fake_token_12345\"`\n   - `wp option update sq_cloud_connect \"1\"`\n3. **Create Attacker:** \n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n## 7. Expected Results\n- The server should return a successful response (likely JSON `{\"success\": true}` or `1`).\n- The database option `sq_api_token` or similar should be empty or deleted.\n- The Squirrly SEO dashboard should now show the site as \"Disconnected\" or prompt for login.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to check the state of the configuration:\n1. `wp option get sq_api_token` (Expected: Error or empty string).\n2. `wp option get sq_cloud_connect` (Expected: \"0\" or empty).\n\n## 9. Alternative Approaches\n- **Missing Nonce:** If `sq_uninstall` does not exist, search for `sq_disconnect` or `sq_ajax_disconnect`.\n- **Global Nonce:** If no specific `sq_uninstall` nonce exists, check if Squirrly uses a generic nonce for all its AJAX actions, often found in `sq_config.nonce`.\n- **Parameter Variation:** Try adding `confirmed=1` or `force=1` if the function has internal logic checks to prevent accidental uninstalls.","gemini-3-flash-preview","2026-04-19 02:53:28","2026-04-19 02:55:08",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","12.4.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags\u002F12.4.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsquirrly-seo.12.4.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags\u002F12.4.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsquirrly-seo.12.4.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags"]